diff --git a/manifests/config.pp b/manifests/config.pp
index de04efd8..b58c4240 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -80,10 +80,13 @@
 }
 }
- exec { "change-selinux-status-to-${_real_mode}":
- command => "setenforce ${sestatus}",
- unless => "getenforce | grep -Eqi '${_real_mode}|disabled'",
- path => '/bin:/sbin:/usr/bin:/usr/sbin',
+ # setenforce only works when SELinux itself is enabled
+ if $_real_mode in ['enforcing','permissive'] {
+ exec { "change-selinux-status-to-${_real_mode}":
+ command => "setenforce ${sestatus}",
+ unless => "getenforce | grep -Eqi '${_real_mode}|disabled'",
+ path => '/bin:/sbin:/usr/bin:/usr/sbin',
+ }
 }
 }
diff --git a/spec/classes/selinux_config_mode_spec.rb b/spec/classes/selinux_config_mode_spec.rb
index 11c7da29..5970a7f5 100644
--- a/spec/classes/selinux_config_mode_spec.rb
+++ b/spec/classes/selinux_config_mode_spec.rb
@@ -59,7 +59,6 @@
 it { is_expected.to contain_file('/var/lib/puppet/puppet-selinux') }
 it { is_expected.to contain_file_line('set-selinux-config-to-disabled').with(line: 'SELINUX=disabled') }
- it { is_expected.to contain_exec('change-selinux-status-to-disabled').with(command: 'setenforce 0') }
 it { is_expected.not_to contain_file('/.autorelabel') }
 end
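Review bot: The new `if $_real_mode in ['enforcing','permissive']` guard silently changes behaviour for `mode => disabled`: a host that is currently enforcing now keeps enforcing until the next reboot, where the removed code ran `setenforce 0` (as the deleted spec line asserted), and the added comment gives a different reason than the one that actually applies, since `setenforce 0` does work while SELinux is enabled — the real problem, as far as I can tell from the `unless` line, is that after `setenforce 0` `getenforce` reports Permissive, never 'disabled', so the exec would re-run on every agent run. I'd reword the comment to say that, e.g. `# Only enforcing/permissive can be applied at runtime; mode=disabled cannot be reached with setenforce (it would only get to permissive and never satisfy the unless check) and takes effect at the next reboot`, and mention it in the module docs so operators know the running policy stays enforced until they reboot. In the spec hunk I would replace the deleted assertion with `it { is_expected.not_to contain_exec('change-selinux-status-to-disabled') }` so the new behaviour is pinned rather than merely untested. The class and the conditional that enclose this block start outside the hunk, so where `$sestatus` is derived is not visible here.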